Tackling Mobile phishing within the Financial industry

By Tom Davison, EMEA Technical Director at Lookout

Cyberattacks and the financial services industry unfortunately go hand in hand, but why? It’s simple: cybercriminals follow the money and the highly sensitive data stored within the confines of these institutions. Recently, we’ve seen the destructive nature of cyberattacks with established financial enterprises like Capital One, JP Morgan, Equifax and Metro Bank all suffering data breaches. In the UK, financial services saw a fivefold rise in data breaches in 2018 compared to 2017, while more than a third of all phishing attacks were aimed at this sector. According to the latest Verizon Data Breach Report, phishing was involved in 32 percent of confirmed breaches, as well as 78 percent of cyber-espionage incidents. While phishing can take many forms, one in particular is growing in popularity amongst cybercriminals: mobile phishing.

The issue of mobile phishing

Financial organisations were some of the first to adopt a mobile workforce. As the industry moved forward, so too did the demands for mobile productivity. With employees now regularly working on the go, and with the introduction of more powerful capabilities from iOS and Android, handheld devices are everywhere. Today, it’s not unusual for banks to use tablets to check in customers or for employees to share files via cloud sharing applications. Mobile devices have now become the favoured devices to operate from, and while this can improve efficiency and cut costs across the working environment, it has introduced greater exposure to mobile threats such as phishing, malicious apps, and OS vulnerabilities.

As mentioned, mobile phishing is considered a critical threat in the financial industry as hackers are using sophisticated methods to target the weakest element in security – humans; and there are a few ways to phish a mobile device:

  • Personal and corporate email – Attackers can design an email to look and sound genuine, tricking employees into handing over sensitive data. Traditional secure email gateways block potential phishing emails and malicious URLs, which works for protecting corporate email from phishing attacks, but neglects personal email.
  • Business Email Compromise (BEC) attacks are a common challenge in the financial industry, with cybercriminals imitating senior members of staff, often C-level executives, to trick unsuspecting employees into wiring payments or transferring funds to alternate bank accounts.
  • SMS messaging and online messaging platforms – many of the tactics used for personal email attacks are used when targeting individuals over social media and messaging applications. Cybercriminals have evolved with the times, channelling their aggressive attacks to lure users to click or download malicious content through instant messaging sites.
  • Malicious ad networks – this is where apps use URLs in their backends to communicate with other services. If a malicious URL is tapped, it could result in a person experiencing a malicious ad campaign. It is difficult to fully view URLs and content in general on mobile screens, making it easier for attackers to hide in plain sight.

It is common for financial enterprises to have traditional security in place to protect against email phishing, but with so many mobile phishing avenues, more is needed to protect the wider mobile environment.

Mobile phishing prevention

While it is common for businesses to implement phishing awareness training to help the workforce gain a better understanding of the potential threats, it is not enough to eliminate mobile phishing, especially given recent changes in European law. As of November 2018, all EU member states must adhere to the standards set by the European Commission NIS Directive, which is the first EU-wide cybersecurity legislation. By following these guidelines, financial firms can operate remotely, and on mobile, knowing that safeguards are in place to protect sensitive data. Yet, some financial services still forget to implement dedicated mobile phishing and content protections, not realising that mobile devices are their own entity which cannot be protected by traditional security methods.

With more sensitive data flowing through these endpoints, financial organisations require solutions to meet their mobile cybersecurity needs. Ideally, the mobile security solution will inspect any URL requests from email (corporate or personal), SMS texts, messaging apps, and those embedded in app browsers, blocking requests for websites deemed malicious by the security provider. For example, this will inhibit a phished employee from potentially entering login credentials to a malicious replica of an Office 365 login page.

The endpoint security should also offer continued and total visibility into the business’s mobile risk landscape. The financial sector will always be a lucrative target for cybercriminals, so when it comes to cybersecurity, no chances can be taken. Hackers continually find ingenious ways to exploit the network, and the introduction of mobile devices has presented a plethora of phishing opportunities. On mobile, phishing threats can come from any app, whether personal or for work, and for this reason, the encounter rate for mobile phishing is very high in the enterprise. As a result, it is critical for the finance industry to be prepared with the right mobile phishing protection to effectively safeguard sensitive data.